We are about to start the next talk right

here. So, I am very happy to introduce

Hanemile. Who is going to talk a little

bit about the struggles you are facing

when trying to find the next capture the

flag (CTF) adventure and how he is

proposing to solve the problem.

Please join me in welcoming Emile.

Hi, I am going to talk about CTF in a box.

It is the story of what problems we

found when playing CTFs. How we plan

to solve the problems; we built a

prototype, tested it and the problems

that came after that. So, first who am I

I am Emile, @hanmile at post platforms.

Studying computer science at Düsseldorf.

Playing CTF with @flexerilla or sometimes

as a single player.

Lets start with the current solutions.

Playing CTF we currently have, like, 3

main platforms. The most used framework

used currently is CTFd.

CTFd is the first thing you'll find if you

google "hey I want to host a CTF, what

do I do?"

Second thing is hack the box

that is another case study, well case

study. More so a framework to host CTFs

but you can't use it, because it is

actually close sourced. Meaning that

you can only play with that. The last

solution is custom frameworks. So,

these are frameworks used by teams.

They build them themselves, like

at this years CTF.

So, CTFd looks like this. People may have

played CTF may have seen it since most

CTFs are hosted on CTFd. Overall

it is pretty basic, looks bit bootstrappy.

I´ll come back to what the problems are

later. Hack the box, the people who have

not seen it, it looks like this. This is

the machine view. Because hack the

box differentiate between machines

and challenges. Challenges are simply

files from where you need to find the

flag. Machines are a bit more, where

you an actual machine from where

you need to find the flag in the actual

services running on the machine.

So, it is a bit more.

And custom ones. This is an image of

a current CTF organised by HXV.

It is pretty much CTFd but, but built by

their own.

So, what are the problems with this?

Well, lets start with CTFd, where there

aren't actual problems, in my opinion.

It is mostly a static hoster, for files

you want people to use for the CTF and

some custom infrastructure for score

board, registration and stuff like that.

Hack the box is kind of close sourced,

why I say "kind of" because you can

actually use it, you can see how it is

built up, you could build it your self

and the problem we had when playing

with hack the box was that we had some

reverse shells at the root of the

challenges. As well as other problems like

multiple people writing in to some

challenges and that some files where

there, that should not have been. Which

was really annoying sometimes. Like we

started a challenges and saw that there

is a reverse shell for getting root in

root, you don't have to do anything.

There are shared challenge instances

the problem we saw that was you

have multiple hundre people playing the

same instance, where we could see what

other people where uploading to the

instance. Which kind of helped us and

found out that it could be kind of

optimised. The third problem, well

problem, but it is custom frameworks.

You might find errors in custom frameworks

allowing to get flags that aren't used

without solving the challenge. So, it is

now a ping pong between finding a problem

and finding a solution. The simplest

solution we tried to implement at our CTF

at a local hackrrspace was to generate

a single challenge instance for every

player/ team. This means that every

challenge we built was simply a docker

container somewhere and for everyone

who wanted to play it started a new docker

contianer. We first thought that this

would bring a lot of overhead, but it

didn't. We started multiple hundred

containers and it worked out fine. The

problem with this is that if you put

everything in a doker container docker

escapes and sandbox escapes get really

useful. It would be fatal if someone could

breakout of the container. We got

solutions for the possible problems.

You could place everything in a VM or

nsjail in order to isolate the process.

Stopping people from actually breaking

out. Another possible solution would be

to make it possible for people to break

out, which you don't actually want to

make possible. But you don't want people

to have anything in case; custom flags

for custom teams.

We did by implementing our docker

containers as - or we implemented the

challenges or the flags get put into the

docker via environment variables.

So when you are starting your docker

container you just set an environment

variable with you flag. And in the docker

container you have a little scrip that is

pushing your flag to the place you want

it to be. Then unsetting the environment

variable and deleting everything else.

Meaning no trace of the flag, where there

should not be. That worked out pretty

well. So, that is the CIRCUS prototype

that we used.

A little story for that - we had the

18th anniversary of our hackerspace

this year and we thought that we

need a CTF for that.

In a week before we realised that it is

in a week so we quickly started building

a prototype for it.

And called it CIRCUS.

Because it looks like a circus.

That is a graph showing how the

containers interact with each other.

The goal with this was that we wanted a

place where the teams could register

and get a known companion.

A companion in our system was a place

where people could go and spawn

individual contianers.

Because companion spawns in VPN

containers impacts s all other containers

in to that network.

So, people would go and get the VPN

config and can access the challenges.

It is really similar to how hack the box

works. A problem with this was that

we got one companion container per user

or per team. And we got n challenges

that can be spawn. Meaning that we got

n teams with m challenge computers

we end up with a lot of containers.

What you are seeing here is just a listing

of all the containers that we had spawn

after day 1 of the CTF, with 10

participants or so. But we had like

50 containers at that point.

Which was quite a bit.

At the end of the CTF we had about

120 container up and running.

You might think that a lot of contianers

and people doing stuff in the contaienrs

that must cost a lot of computational

power. But it actually worked out.

We had set up a virtual machine

8 core 16 bit of RAM, and it always

looked like nothing at all was

happening. Until someone set up

a cryptominer and had fun with that.

Since, we went on a machine and saw

"Where is this load coming from?"

We identified that this was a container

that some of the team set up.

Not me.

We had some people try with names,

we screwed up the sanitation a bit

because it was all really quick and that

is a learning for everything - that

it doesn't work.

The XSS you are seeing here didn't also

work for the person trying it

- which was kind of weird.

We did set up a super basic scoreboard.

So, as you can see we tried to build a

CTF framework on our own.

And it kind of worked, it was all

built in a few days and very much

like shitty CTFd.

What we want to do now is to find out

what we want to do and what we don't.

What we want to do is to allow

people to spawn containers

with their challenges. So, we solved

the problem of multiple people

acting on one challenge or instance

of a challenge.

By allowing this we don't allow them to

spawn infinite containers.

Maybe some of you have played Alice CTF

or GM CTF.

That was pretty fun because there

was a challenge exciting

devops challenge and it was exactly like

this. You could spawn containers/

a complete set up for you to play in.

But you had to do a proof of work, meaning

to calculate something so that you could

not just spawn challenge instances as much

as you liked.

Another thing you might keep in mind

when doing this is to not mount the

docker socket into everything.

As fun as it is to spawn docker

containers from docker containers, it is

a giant security risk. If people have

access to the docker socket they can

docker containers and do shit.

Dos and don'ts.

A lot of players do execute stuff in

containers. Just having a container with

just static files are fun, but we wanted

to have more. Allowing people to

execute stuff in containers can be

problem, but you can limit what people can

do. Meaning that allow people to do stuff

but don't allow them to do too much.

And that worked out in our case.

As said before, we tried it with like 10

people in our local CTF.

Seeing where the problems get when we

put really good CTF teams on it, and to

see if they can break out would be really

interesting to see.

As I said, don't allow, or allow people

to do stuff, but don't allow them to do

too much stuff.

Implement techniques so that it works

out. One thing that I had to keep in mind

was to keep things simple.

During the CTF I realised that, we built

a lot of stuff and it was a little bit

overcomplicated and made things a little

bit too hard to fix. I would keep in mind

for future CTF frameworks to keep it as

simpel as possible, in case anything

breaks it will be a 5 minute job to fix it

If you where to lazy to lisen, here is a

recap. Create new platforms, CTF

platforms are really interesting.

I found a lot of topics I could work in to

while building this and I am not at the

end yet. There is still a lot of things

that I need to look into. But to allow

for a place to play the game and limit

the bad stuff. For people thinking why

docker, people at our local hackerspace

ask all the time "why are you using docker

since there are so many known exploits for

that?"

Finding alternativs would have been an

option, but I am used to docker - and

I actually wanted to used docker.

So, that was kind of nice.

So if you know a better solution: find the

solution, implement it and try out the

CTF. Another thing I wanted to say here

that while using docker it might be

insecure, but you could also implement a

lot of stuff inorder to secure it.

Like implementing custom flags for teams,

so if a teams has got a custom flag

it can't just break out of the container

and get the flag from another team.

Since it is really team specific.

That was what we wanted to do with the

environment variable in the challenge

containers. Because then we could start

the containers as we went.

That's actually the end.

What I still want to say is that sometimes

next year we want to play the CIRCLE CTF

with the platform we built, just to try it

out, but at a larger scale. So, if you

are an active CTF player we are going to

be there and organise a complete new CTF

with us with fun challenges.

I got some of the challenges with me so,

if you are interested in how this might

look or what can be done then just come

to my table.

Also, if you are interested in discussing

solutions on how this could be done better

then just drop by.

If you got questions, watching the live

stream then just tweet me at: @hanemile.

That was it.

Does anyone got any direct questions.

Thanks again Emile.

Translated by CS (ITKST56 course assignment at JYU.FI)